E-commerce businesses collect personal data at every stage of the customer journey — browsing, account creation, checkout, delivery, and post-sale marketing. Every one of these touchpoints triggers GDPR obligations. With the EDPB’s 2026 Coordinated Enforcement Framework specifically targeting transparency and information obligations across 25 DPAs, ecommerce GDPR compliance is under direct regulatory scrutiny.
Key Takeaways
- E-commerce businesses need a valid legal basis for every data processing activity: Art. 6(1)(b) for order fulfilment, Art. 6(1)(a) or Art. 6(1)(f) for marketing, and consent under the ePrivacy Directive for cookies and tracking.
- Cookie consent must be obtained before setting non-essential cookies — pre-ticked boxes and “browsing equals consent” do not comply with the CJEU Planet49 ruling.
- Payment processor agreements must meet Art. 28 GDPR requirements — every third-party service (Stripe, PayPal, logistics providers) needs a Data Processing Agreement.
- Cross-border selling to EU customers triggers GDPR regardless of where the business is established (Art. 3(2)).
- Customer data retention periods must be defined and enforced — indefinite storage of order data violates Art. 5(1)(e).
Step 1: Cookie Consent for E-Commerce
Cookie compliance is the most visible GDPR obligation for e-commerce sites, and the most frequently enforced.
What the Law Requires
The ePrivacy Directive (2002/58/EC), as interpreted by the CJEU in Planet49 (C-673/17, October 2019), requires:
- Prior consent before setting non-essential cookies (analytics, advertising, tracking pixels)
- Consent must be freely given, specific, informed, and unambiguous — matching the GDPR Art. 4(11) standard
- Pre-ticked boxes are invalid — the Planet49 ruling explicitly rejected them
- Users must be able to refuse cookies as easily as they accept them — CNIL has enforced this requirement with fines against Google (EUR 150 million, December 2021) and Facebook (EUR 60 million, December 2021) for making rejection harder than acceptance
E-Commerce-Specific Cookie Issues
| Cookie Type | Legal Basis | Notes |
|---|---|---|
| Session/cart cookies | Strictly necessary — no consent needed | Must be genuinely necessary for the service |
| Analytics (GA4, Matomo) | Consent required | Even “anonymised” GA4 still requires consent in most EU DPA interpretations |
| Retargeting pixels (Meta, Google Ads) | Consent required | Transfers data to US-based processors — additional safeguards needed |
| Affiliate tracking | Consent required | Often overlooked; creates cross-site tracking |
| A/B testing tools | Consent required | Unless purely functional with no personal data |
For a deeper guide on consent mechanisms, see our article on how to get valid consent under GDPR.
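The gating the table above implies, as an added example that is not code from the original article or from any consent vendor: non-essential categories start off, refusal is a single click like acceptance, and a tag only loads when its category has consent. Tag ids, script URLs and the category names are constructed for illustration.

```javascript
// Added example (not the page's or any vendor's code): consent gating for the cookie
// categories in the table above. Tag ids, script URLs and category names are constructed.
const CATEGORIES = ["necessary", "analytics", "marketing", "affiliate", "ab_testing"];

// Constructed catalogue of third-party tags and the consent category each one needs.
const TAG_CATALOGUE = [
  { id: "cart-session",      category: "necessary",  src: null },
  { id: "ga4",               category: "analytics",  src: "https://example.invalid/ga4.js" },
  { id: "meta-pixel",        category: "marketing",  src: "https://example.invalid/pixel.js" },
  { id: "affiliate-tracker", category: "affiliate",  src: "https://example.invalid/aff.js" },
  { id: "ab-tool",           category: "ab_testing", src: "https://example.invalid/ab.js" },
];

// State before the visitor has chosen anything: only strictly necessary is on.
// No non-essential category is pre-selected (Planet49).
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map(c => [c, c === "necessary"]));
}

// "Accept all" and "Reject all" are both one click, so refusing is as easy as accepting.
function acceptAll() { return Object.fromEntries(CATEGORIES.map(c => [c, true])); }
function rejectAll() { return defaultConsent(); }

// Granular choice from the settings panel; "necessary" cannot be switched off.
function customConsent(choices) {
  const state = defaultConsent();
  for (const c of CATEGORIES) if (c !== "necessary" && choices[c] === true) state[c] = true;
  return state;
}

// Tags that may run under the given consent. `null` means "no choice yet", which is
// treated like refusal: nothing non-essential loads before consent exists.
function allowedTags(consent) {
  const state = consent || defaultConsent();
  return TAG_CATALOGUE.filter(t => state[t.category]).map(t => t.id);
}

// Browser wiring: inject only the allowed scripts into <head>. No-op outside a browser.
function loadAllowedScripts(consent) {
  if (typeof document === "undefined") return [];
  const allowed = new Set(allowedTags(consent));
  return TAG_CATALOGUE.filter(t => allowed.has(t.id) && t.src).map(t => {
    const s = document.createElement("script");
    s.src = t.src;
    s.async = true;
    document.head.appendChild(s);
    return t.id;
  });
}
```

Call `loadAllowedScripts(null)` on page load and again with the stored choice once the banner returns one; a tag absent from the catalogue never loads, which is the safe default when a new vendor is added.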
Step 2: Checkout Data Collection
The checkout process is where e-commerce businesses collect the most sensitive personal data: names, addresses, email, phone numbers, and payment information.
Legal Basis for Order Processing
Fulfilling a purchase order relies on Art. 6(1)(b) — contract performance. You do not need consent to process data strictly necessary for delivering the order. This covers:
- Name and delivery address
- Email for order confirmation and shipping updates
- Payment data (processed by the payment processor)
- Phone number if required for delivery
What Art. 6(1)(b) does not cover:
- Marketing emails to the customer after purchase
- Sharing customer data with advertising partners
- Retaining data beyond what is necessary for order fulfilment and legal obligations
- Creating customer profiles for personalisation
Data Minimisation at Checkout
Art. 5(1)(c) requires collecting only data that is adequate, relevant, and limited to what is necessary. Common violations in e-commerce:
- Mandatory date of birth for purchases that do not require age verification
- Mandatory phone number when delivery does not require it
- Forced account creation — customers must be able to check out as guests
- Collecting gender/title when it serves no processing purpose
Step 3: Payment Processor Agreements
Every e-commerce business uses at least one payment processor (Stripe, PayPal, Adyen, Mollie). These are data processors under GDPR, and Art. 28 requires a written Data Processing Agreement for each one.
What Your DPA Must Cover
Under Art. 28(3) GDPR, the DPA with your payment processor must specify:
- Subject matter and duration of processing
- Types of personal data processed (cardholder name, card number, transaction data)
- Categories of data subjects (customers)
- Documented instructions — the processor acts only on your instructions
- Sub-processor authorisation — payment processors often use sub-processors for fraud detection, which requires your authorisation
- Security measures — PCI DSS compliance is necessary but not sufficient for GDPR
- Data deletion at end of relationship
Beyond Payment: All Processor Relationships
E-commerce businesses typically have 10-20 processor relationships that each require a DPA:
- Payment providers (Stripe, PayPal)
- Shipping/logistics (DHL, UPS, local carriers)
- Email marketing (Mailchimp, Brevo, Klaviyo)
- Customer support platforms (Zendesk, Intercom)
- Analytics tools (Google Analytics, Hotjar)
- Review platforms (Trustpilot, Verified Reviews)
- Cloud hosting (AWS, Shopify, WooCommerce hosting)
Tracking and maintaining DPAs across this many vendors is where manual compliance breaks down. Legiscope automates DPA management and tracks processor compliance status across all vendor relationships, flagging missing or expired agreements.
Step 4: Cross-Border Selling and Data Transfers
E-commerce is inherently cross-border. Selling to customers in multiple EU member states — or using US-based service providers — triggers specific GDPR obligations.
Territorial Scope: Art. 3(2)
GDPR applies to any business offering goods or services to EU residents, regardless of where the business is established. A US-based Shopify store that ships to France is subject to GDPR for French customer data. Indicators that trigger Art. 3(2) include:
- Offering prices in EUR
- Providing delivery to EU addresses
- Using EU-specific payment methods
- Translating the website into EU languages
Data Transfers Outside the EU
Most e-commerce businesses transfer personal data outside the EU through their tech stack (US-based SaaS tools, cloud hosting, marketing platforms). Under Chapter V GDPR, these transfers require:
- An adequacy decision (e.g., EU-US Data Privacy Framework for certified US companies)
- Standard Contractual Clauses (SCCs) — the most common mechanism
- Binding Corporate Rules for intra-group transfers
For detailed guidance, see our article on cross-border data transfers under GDPR.
The Schrems II ruling (C-311/18, July 2020) invalidated the EU-US Privacy Shield and required supplementary measures when SCCs alone are insufficient. The EU-US Data Privacy Framework (adopted July 2023) provides a new adequacy basis for certified US companies, but organisations should verify that each US processor is certified.
Step 5: Customer Data Retention
Art. 5(1)(e) GDPR prohibits keeping personal data longer than necessary for its purpose. E-commerce businesses must define and enforce retention periods for every data category.
Recommended Retention Framework
| Data Category | Purpose | Retention Period | Legal Basis |
|---|---|---|---|
| Order/transaction data | Contract fulfilment, warranty | Duration of warranty/guarantee period | Art. 6(1)(b) |
| Tax/accounting records | Legal obligation | 6-10 years depending on national law (e.g., 10 years in Germany, 6 years in UK) | Art. 6(1)(c) |
| Customer account data | Ongoing service | Until account deletion + reasonable grace period | Art. 6(1)(b) |
| Marketing contact data | Direct marketing | Until consent withdrawal or 3 years of inactivity (CNIL guidance) | Art. 6(1)(a) or (f) |
| Web analytics data | Performance analysis | 14-26 months maximum | Consent |
| Customer support tickets | Service quality | 2-3 years after resolution | Art. 6(1)(f) |
Common violation: Retaining complete customer profiles indefinitely “in case they come back.” CNIL fined Carrefour EUR 2.25 million in 2020 partly for retaining customer data beyond defined periods and lacking a clear data retention policy.
Practical Implementation
- Configure automated data purging in your e-commerce platform
- Anonymise order data after the legal retention period — keep aggregate sales data without personal identifiers
- Implement customer-facing account deletion that actually deletes (not just deactivates)
- Document retention periods in your privacy notice
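A retention sweep that applies the framework in the table above, as an added example that is not code from the original article or from Legiscope. The record fields, the 2-year warranty period, the 10-year German accounting period and the 30-day grace period after an account deletion request are assumptions; an order past its period is anonymised rather than deleted so aggregate sales figures survive.

```javascript
// Added example (not the page's or Legiscope's code): a retention sweep applying the
// periods from the table above. Record fields, the 2-year warranty, the 10-year German
// accounting period and the 30-day account grace period are assumptions.
const RETENTION = {
  order:             { period: { years: 2 },   from: "completedAt",         action: "anonymise" },
  tax_record:        { period: { years: 10 },  from: "createdAt",           action: "delete" },
  account:           { period: { days: 30 },   from: "deletionRequestedAt", action: "delete" },
  marketing_contact: { period: { years: 3 },   from: "lastActivityAt",      action: "delete" },
  analytics:         { period: { months: 26 }, from: "collectedAt",         action: "delete" },
  support_ticket:    { period: { years: 3 },   from: "resolvedAt",          action: "delete" },
};
// Removed when an order is anonymised; amount, date and product lines survive for aggregates.
const IDENTIFIERS = ["name", "email", "address", "phone"];

// End of the retention period, computed in UTC so month and year arithmetic is exact.
function expiry(startIso, period) {
  const d = new Date(startIso);
  if (period.years) d.setUTCFullYear(d.getUTCFullYear() + period.years);
  if (period.months) d.setUTCMonth(d.getUTCMonth() + period.months);
  if (period.days) d.setUTCDate(d.getUTCDate() + period.days);
  return d;
}

// "keep", "anonymise" or "delete" for one record at time `now`.
function decide(record, now) {
  const rule = RETENTION[record.category];
  // A category with no rule is a gap in the retention policy, not something to keep silently.
  if (!rule) throw new Error(`no retention rule for category ${record.category}`);
  // Marketing data goes as soon as consent is withdrawn, whatever the activity clock says.
  if (record.category === "marketing_contact" && record.consentWithdrawnAt) return "delete";
  const start = record[rule.from];
  if (!start) return "keep"; // clock not started (e.g. no deletion request on the account yet)
  return now >= expiry(start, rule.period) ? rule.action : "keep";
}

function anonymise(record) {
  const out = { ...record, anonymised: true };
  for (const f of IDENTIFIERS) delete out[f];
  return out;
}

// Apply the policy to a batch: records to keep (possibly anonymised) and ids to delete.
function sweep(records, now = new Date()) {
  const kept = [], deleted = [];
  for (const r of records) {
    const action = decide(r, now);
    if (action === "delete") deleted.push(r.id);
    else kept.push(action === "anonymise" ? anonymise(r) : r);
  }
  return { kept, deleted };
}
```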
Step 6: Privacy Notices and Transparency
Art. 13 GDPR requires providing specific information at the point of data collection. For e-commerce, this means clear privacy notices at:
- Account registration
- Checkout (for guest purchases)
- Newsletter signup
- Contact forms
- Cookie banner (linking to full cookie policy)
The EDPB’s 2026 enforcement action specifically targets transparency compliance. Ensure your privacy notice includes: controller identity, DPO contact, purposes and legal bases, data recipients, transfer safeguards, retention periods, and data subject rights.
Step 7: Handling Data Subject Rights
E-commerce customers have the full range of GDPR rights (Art. 15-22). The most common requests:
- Right of access (Art. 15) — provide all personal data within one month
- Right to erasure (Art. 17) — delete customer data on request (subject to legal retention obligations)
- Right to data portability (Art. 20) — export order history in machine-readable format
Failure to respond within one month is an independent violation. The AEPD (Spanish DPA) has issued multiple fines to e-commerce businesses for late or incomplete responses to access requests.
FAQ
What are the main GDPR obligations for e-commerce businesses?
E-commerce businesses must: identify a legal basis for all data processing (Art. 6), provide compliant privacy notices at point of collection (Art. 13), manage cookie consent under ePrivacy rules, enter DPAs with all processors including payment and shipping providers (Art. 28), enforce defined data retention periods (Art. 5(1)(e)), and honour data subject rights within one month (Art. 12(3)).
Does GDPR apply to non-EU e-commerce businesses selling to EU customers?
Yes. Art. 3(2) GDPR covers any business offering goods or services to EU residents, regardless of where the business is established. A US or UK e-commerce site shipping to France is subject to GDPR for the data of its French customers. Offering EU delivery, EUR pricing, or EU language options are indicators of targeting.
What legal basis applies to e-commerce order processing?
Fulfilling a purchase order relies on Art. 6(1)(b) — contract performance. Post-purchase marketing emails to existing customers can use legitimate interests (Art. 6(1)(f)) with an opt-out mechanism, or consent (Art. 6(1)(a)). Cart abandonment emails to non-customers require consent under ePrivacy rules.
How long can e-commerce businesses keep customer data?
There is no single answer. Order data can be kept for warranty/guarantee periods under Art. 6(1)(b). Tax records must be kept for 6-10 years depending on national law (Art. 6(1)(c)). Marketing data should be purged after consent withdrawal or prolonged inactivity — CNIL considers 3 years of inactivity the maximum. Indefinite retention without justification violates Art. 5(1)(e).
Conclusion
Ecommerce GDPR compliance requires action across every customer touchpoint: cookie consent before tracking, minimised data collection at checkout, DPAs with every processor, lawful cross-border transfer mechanisms, and enforced retention periods. The 2026 EDPB enforcement wave targeting transparency makes this the wrong year to have gaps in your privacy notices or consent flows. Systematically mapping your processing activities and maintaining current documentation is the foundation — Legiscope automates this mapping and flags compliance gaps across your entire e-commerce data processing chain.